CVE-2021-28505
📋 TL;DR
This vulnerability in Arista EOS platforms allows VXLAN match rules in IPv4 access-lists to ignore specified IP protocols when applied to L2/L3 port ingress. This can lead to unintended traffic being permitted through ACLs. Affected users are those running vulnerable Arista EOS versions with VXLAN ACL configurations.
💻 Affected Systems
- Arista EOS (Extensible Operating System)
📦 What is this software?
EOS by Arista
⚠️ Risk & Real-World Impact
Worst Case
Attackers could bypass network segmentation and access control policies, potentially gaining unauthorized access to sensitive network segments or systems.
Likely Case
Network traffic that should be blocked by ACL rules is incorrectly permitted, potentially allowing unauthorized communication between network segments.
If Mitigated
With proper network segmentation and defense-in-depth controls, the impact is limited to potential ACL bypass within affected segments.
🎯 Exploit Status
Exploitation requires sending network traffic that would normally be blocked by affected ACLs. No authentication required as this is a network-level vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.24.6M, 4.25.4M, 4.26.2M, 4.27.0F and later
Vendor Advisory: https://www.arista.com/en/support/advisories-notices/security-advisories/15267-security-advisory-0073
Restart Required: Yes
Instructions:
1. Check the current EOS version.
2. Upgrade to a patched version.
3. Reload the switch to apply the fix.
4. Verify ACL functionality post-upgrade.
🔧 Temporary Workarounds
Remove VXLAN ACL rules
Remove VXLAN match rules from IPv4 access-lists applied to L2/L3 port ingress:
no ip access-list <ACL_NAME>
ip access-list <ACL_NAME>
(re-enter the ACL entries without the VXLAN match rules)
Alternative ACL placement
Apply affected ACLs to different interfaces or directions where VXLAN rules are not needed. Moving an ACL from ingress to egress changes which traffic it filters, so confirm that the intended segmentation still holds after the change:
no ip access-group <ACL_NAME> in
ip access-group <ACL_NAME> out
🧯 If You Can't Patch
- Implement network segmentation controls at multiple layers (firewalls, VLANs)
- Monitor network traffic for unexpected patterns that might indicate ACL bypass
🔍 How to Verify
Check if Vulnerable:
Check the EOS version and verify whether VXLAN match rules exist in IPv4 ACLs applied to L2/L3 port ingress.
Check Version:
show version | include Software image version
Verify Fix Applied:
After upgrade, test ACL functionality with traffic that should be blocked by VXLAN rules
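The following script is an added example of the pre- and post-upgrade check described in the fix instructions and in this section; it is not Arista's tooling and not part of the advisory. It parses captured text from two EOS commands, "show version" (the version line quoted above) and "show ip access-lists", reports whether the running image is at or past the fixed release for its train (4.24.6M, 4.25.4M, 4.26.2M, 4.27.0F and later), and lists every IPv4 ACL that still carries a VXLAN match rule. The sample command output is constructed; the exact layout of "show ip access-lists", the assumption that a VXLAN match rule contains the literal token "vxlan", the decision to ignore the release-type letter (F/M) when ordering releases within a train, and the treatment of trains older than 4.24 as "unknown" (no fixed release is listed for them here) are all assumptions, not facts from the advisory.

```python
"""
CVE-2021-28505 exposure check (illustrative; not Arista's tooling).

Reads text captured from 'show version' and 'show ip access-lists' and
reports (a) whether the image is at/after the fixed release for its train
and (b) which IPv4 ACLs contain VXLAN match rules.
"""
import re

# Fixed releases as listed in the advisory summary: 4.24.6M, 4.25.4M,
# 4.26.2M, 4.27.0F "and later". Keyed by train (major, minor).
FIXED_BY_TRAIN = {
    (4, 24): 6,
    (4, 25): 4,
    (4, 26): 2,
    (4, 27): 0,
}
LATEST_FIXED_TRAIN = (4, 27)

_VERSION_RE = re.compile(r"Software image version:\s*(\d+)\.(\d+)\.(\d+)([A-Z]?)")
_ACL_HEADER_RE = re.compile(r"^IP Access List (\S+)")
_RULE_RE = re.compile(r"^\s+(\d+)\s+(permit|deny)\s+(.*)$")


def parse_version(show_version: str):
    """Return (major, minor, patch, suffix) from 'show version' output, or None."""
    m = _VERSION_RE.search(show_version)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def version_status(show_version: str) -> str:
    """Classify the image as 'fixed', 'vulnerable' or 'unknown'.

    Assumption: within a train, ordering by the third number is sufficient;
    the release-type letter (F/M) is ignored.
    """
    v = parse_version(show_version)
    if v is None:
        return "unknown"
    major, minor, patch, _suffix = v
    train = (major, minor)
    if train in FIXED_BY_TRAIN:
        return "fixed" if patch >= FIXED_BY_TRAIN[train] else "vulnerable"
    if train > LATEST_FIXED_TRAIN:
        return "fixed"  # covered by "4.27.0F and later"
    return "unknown"    # older train: no fixed release listed here, consult the advisory


def find_vxlan_rules(show_acls: str) -> dict:
    """Map ACL name -> [(seq, rule)] for rules that match on VXLAN.

    Assumption: the output lists each ACL as 'IP Access List <name>' followed
    by indented '<seq> permit|deny <match...>' lines, and a VXLAN match rule
    carries the literal token 'vxlan'. Interface bindings are not parsed, so
    confirm separately which ACLs are applied inbound on L2/L3 ports.
    """
    result = {}
    current = None
    for line in show_acls.splitlines():
        h = _ACL_HEADER_RE.match(line)
        if h:
            current = h.group(1)
            continue
        r = _RULE_RE.match(line)
        if r and current is not None:
            seq, action, rest = int(r.group(1)), r.group(2), r.group(3)
            if "vxlan" in rest.lower().split():
                result.setdefault(current, []).append((seq, f"{action} {rest}"))
    return result


def assess(show_version: str, show_acls: str) -> dict:
    """Combine both checks: exposed only if the image is not fixed AND VXLAN rules exist."""
    status = version_status(show_version)
    vxlan = find_vxlan_rules(show_acls)
    return {
        "version_status": status,
        "vxlan_acls": sorted(vxlan),
        "exposed": status != "fixed" and bool(vxlan),
    }


# Constructed sample output (not captured from a real device).
SAMPLE_SHOW_VERSION = "Software image version: 4.26.1F\n"
SAMPLE_SHOW_ACLS = """\
IP Access List mgmt-in
        10 permit tcp 10.0.0.0/8 any eq 22
        20 deny ip any any
IP Access List overlay-in
        10 permit vxlan any any
        20 deny ip any any
"""

if __name__ == "__main__":
    report = assess(SAMPLE_SHOW_VERSION, SAMPLE_SHOW_ACLS)
    print(f"image status : {report['version_status']}")
    print(f"VXLAN ACLs   : {', '.join(report['vxlan_acls']) or 'none'}")
    print(f"exposed      : {report['exposed']}")
```

Run it against saved output of the two commands before the upgrade to get the list of ACLs to watch, and again after the reload to confirm the image now classifies as fixed; an "unknown" result means the version line was not found or the train is not covered by the fixed-release list above, and the vendor advisory should be consulted directly.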
📡 Detection & Monitoring
Log Indicators:
- Unexpected traffic patterns through ACLs
- ACL permit/deny counters showing anomalies
Network Indicators:
- Traffic bypassing intended ACL rules
- Unexpected communication between network segments
SIEM Query:
network_traffic WHERE (src_ip IN sensitive_segment AND dest_ip IN sensitive_segment) AND NOT acl_match